AlphaOne Technology Support Forums | IMPORTANT ANNOUNCEMENTS | Virus Alerts
Topic: Backdoor.Graybird.O
TJ (Tech Team)
Backdoor.Graybird.O
« on: September 04, 2005, 09:13:01 PM »

Backdoor.Graybird.O is a Trojan horse that opens a back door and contacts a remote attacker for additional commands.

When Backdoor.Graybird.O is executed, it performs the following actions:

   1. Creates the mutex, "VIP2.0_MUTEX" so that only one copy of the Trojan is executed on the compromised computer.

   2. Registers itself as the following service:

      Display name: VMWare Authorization Servicec

   3. Creates the following registry subkeys so that the new service is executed every time Windows starts:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeonServer
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMWARE_AUTHORIZATION_SERVICEC

   4. Copies itself as the following hidden file:

      %ProgramFiles%\Server\Server.exe

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

   5. Drops the following file:

      %System%\8g.DLL

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   6. Starts an Internet Explorer process (IEXPLORE.EXE) and overwrites it completely in memory with its malicious code to hide its presence on the process list.

   7. Attempts to connect to a remote attacker at the following Web servers on ports 80 and 8005:

          * [http://]50071.huigezi.org/[REMOVED]
          * [http://]vip.huigezi.com/[REMOVED]
          * [http://]up.huigezi.org/[REMOVED]
          * [http://]ns1.3322.net/[REMOVED]

   8. Performs the following commands on the compromised computer, if a connection is successful:

          * Steal personal information
          * Download and execute a remote file

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.o.html


To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to and delete the following subkeys:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrayPigeonServer
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMWARE_AUTHORIZATION_SERVICEC

   5. Exit the Registry Editor.
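The indicators in the post above (service display name, the two HKLM subkeys, the two dropped file paths and the four contact hosts) are exactly what an administrator would want to audit a machine against before following the removal steps. The script below is an added example written for this page, not code from the post, the forum or Symantec's write-up. It keeps the matching logic separate from collection so it can be checked offline: `match_indicators()` works on a `HostSnapshot` built from whatever inventory you have (registry export, file listing, DNS log), and `collect_snapshot()` reads the live registry and file system, which is only possible on Windows. The `HostSnapshot` class, the helper names and the sample snapshot at the bottom are all assumptions of this example; the indicator values themselves come from the post. Mutex names and DNS queries are not collected by the script, since that needs a handle-listing tool or a resolver log; they are matched if you supply them.

```python
"""Audit a host against the Backdoor.Graybird.O indicators listed in the post.

Example code for this page; HostSnapshot and the helper names are assumptions,
the indicator values are those given in the write-up.
"""
import os
import sys
from dataclasses import dataclass, field

# Indicators as stated in the write-up (nothing else is assumed).
MUTEX_NAME = "VIP2.0_MUTEX"
SERVICE_DISPLAY_NAME = "VMWare Authorization Servicec"  # trailing 'c' is in the original
REGISTRY_SUBKEYS = (  # relative to HKEY_LOCAL_MACHINE
    r"SYSTEM\CurrentControlSet\Services\GrayPigeonServer",
    r"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMWARE_AUTHORIZATION_SERVICEC",
)
C2_HOSTS = ("50071.huigezi.org", "vip.huigezi.com", "up.huigezi.org", "ns1.3322.net")


def expected_files():
    """Resolve %ProgramFiles%\\Server\\Server.exe and %System%\\8g.DLL.

    Uses the real ProgramFiles / SystemRoot variables when present and the
    Windows XP defaults from the write-up otherwise.
    """
    program_files = os.environ.get("ProgramFiles", r"C:\Program Files")
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return (program_files + r"\Server\Server.exe", system_dir + r"\8g.DLL")


@dataclass
class HostSnapshot:
    """Inventory of one host; every field is optional and compared case-insensitively."""
    service_display_names: set = field(default_factory=set)
    hklm_subkeys: set = field(default_factory=set)   # paths relative to HKLM
    existing_files: set = field(default_factory=set)
    mutex_names: set = field(default_factory=set)    # e.g. from a handle listing
    dns_queries: set = field(default_factory=set)    # e.g. from a resolver log


def _norm(value):
    return value.replace("/", "\\").strip("\\").rstrip(".").lower()


def match_indicators(snap):
    """Return a list of human-readable hits, one per indicator found."""
    hits = []
    if _norm(SERVICE_DISPLAY_NAME) in {_norm(n) for n in snap.service_display_names}:
        hits.append("service: " + SERVICE_DISPLAY_NAME)
    keys = {_norm(k) for k in snap.hklm_subkeys}
    for key in REGISTRY_SUBKEYS:
        if _norm(key) in keys:
            hits.append("registry: HKEY_LOCAL_MACHINE\\" + key)
    files = {_norm(f) for f in snap.existing_files}
    for path in expected_files():
        if _norm(path) in files:
            hits.append("file: " + path)
    if _norm(MUTEX_NAME) in {_norm(m) for m in snap.mutex_names}:
        hits.append("mutex: " + MUTEX_NAME)
    queries = {_norm(q) for q in snap.dns_queries}
    for host in C2_HOSTS:
        if host in queries:
            hits.append("dns: " + host)
    return hits


def collect_snapshot():
    """Read the live registry and file system. Windows only (needs winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows")
    import winreg
    snap = HostSnapshot()
    for key in REGISTRY_SUBKEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            snap.hklm_subkeys.add(key)
        except OSError:
            pass
    snap.existing_files.update(p for p in expected_files() if os.path.exists(p))
    # Service display names: enumerate every Services subkey's DisplayName value.
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(services, name) as sub:
                    snap.service_display_names.add(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                pass
    return snap


# Constructed sample snapshot: one infected-looking host for an offline dry run.
SAMPLE_INFECTED = HostSnapshot(
    service_display_names={"Workstation", "VMware Authorization Servicec"},
    hklm_subkeys={r"SYSTEM\CurrentControlSet\Services\GrayPigeonServer"},
    existing_files={r"C:\Program Files\Server\Server.exe"},
    dns_queries={"vip.huigezi.com.", "www.example.com"},
)

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    for hit in match_indicators(snap) or ["no Backdoor.Graybird.O indicators found"]:
        print(hit)
```

Run it on the Windows machine as an administrator to check the registry and file locations; on any other system it falls back to the constructed sample so the matching can be tried without a Windows host. A hit on the service name or a registry key is strong evidence, while the `8g.DLL` file name alone is worth confirming against the full path before acting on it.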